CVE-2023-29212: 
Java vulnerability analysis and mitigation

CVE-2023-29212 is a critical vulnerability affecting XWiki Commons, which are technical libraries common to several other top-level XWiki projects. The vulnerability was discovered and disclosed in April 2023, affecting XWiki versions from 14.0 to versions before 14.4.7, and version 14.10.rc1. This security flaw allows any user with edit rights to execute arbitrary Groovy, Python, or Velocity code in XWiki, potentially leading to full access to the XWiki installation (GitHub Advisory, NVD).

The vulnerability stems from improper escaping of included pages in the included documents edit panel. The CVSS v3.1 base score is rated as 9.9 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) by NIST and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) by GitHub (NVD, GitHub Advisory).

The vulnerability allows attackers with edit rights to execute arbitrary code (Groovy, Python, or Velocity) within the XWiki installation. This can lead to complete system compromise as successful exploitation provides full access to the XWiki installation (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.4.7 and 14.10. Users are strongly advised to upgrade to these patched versions. For those unable to upgrade immediately, manual application of the security patch is available as a workaround (GitHub Advisory).